When it comes to privacy, both Google’s Chrome OS and Microsoft’s Windows 10 take an “opt-out” stance.

By default, both platforms collect a variety of data about your usage, but the way they go about it is often different. While Microsoft presents users with a long list of privacy-related toggles, Google’s controls are less granular. Both companies, however, make you jump through additional hoops to disable the kind of personalized ads that help them turn a profit.

PCWorld recently broke down all the ways Microsoft grabs at your data in Windows 10, so it’s only fair we compare that to Google’s computing platform. Here’s how Chrome OS and Windows 10 measure up on privacy and data collection.

Should the FBI prevail in getting Apple to offer a backdoor for an encrypted iPhone, the agency may have trouble getting anyone to build it.

At least that’s the word from several current and former Apple employees—including security engineers—who spoke anonymously to the New York Times. Some said they’d refuse to do the work, or quit their jobs if necessary, rather than create what they believe is a major security compromise for all users.

Apple is currently appealing a U.S. District Court order to build a separate version of iOS that would allow the FBI to unlock one particular iPhone 5c. The FBI wants access to the phone of Syed Rizwan Farook, one of the shooters responsible for killing 14 people and injuring 22 others in San Bernardino last December. With iOS 8 and higher, unsuccessfully guessing the phone’s password too many times automatically erases the phone’s data, so the FBI wants Apple to load a separate version that allows unlimited brute force password attempts.

Mac and Windows users could end up in some bad Internet neighborhoods by not typing the “c” in “.com” websites.

As reported by Threatpost, security vendor Endgame recently discovered widespread “typosquatting” with the “.om” domain name, in which bad actors attempt to dupe people who mistype common URLs. In this case, more than 300 malicious URLs have latched onto the Country Code Top-Level Domain for Oman, which users might accidentally enter instead of “.com.” Some examples include samsung.om, delta.om, and netflix.om.

Mastercard is working on a new app that provides extra security when buying things online. But instead of just demanding a password, the app will offer to verify your identity with a selfie.

The app is coming this summer for phones, tablets, and PCs, and will be available in the United States, United Kingdom, Canada, Netherlands, Belgium, Spain, Italy, France, Germany, Switzerland, Norway, Sweden, Finland, and Denmark, the BBC reports. Mastercard has been testing these capabilities since last summer.

With selfie checks, users will have to blink for the camera to prevent spoofing the system with a photo. Alternatively, users will be able to verify themselves with a fingerprint, through systems like Apple’s Touch ID. Mastercard says it will transmit this data in a way that can’t be stolen or used by scammers.

While Pichai noted that Google provides data access to law enforcement when legally required, that’s different from making tech companies enable hacking of customers’ devices and data. “Could be a troubling precedent,” Pichai added.

Instagram will soon let users hack-proof their accounts with two-factor authentication, following in the footsteps of other big social networks like Facebook and Twitter.

With two-factor authentication, users receive a text message containing a one-time code whenever they try to log in on a new device. Users must then enter that code along with their email and regular password. This helps prevent remote hacking attempts by requiring physical access to the phone where the text message is sent.

According to TechCrunch, Instagram has been testing two-factor authentication for some users, and is now planning to roll out the security feature for anyone who wants it.

The type of dangerous adware that Lenovo pre-loaded on PCs earlier this year will soon be banned entirely from Windows devices.

In a post on its TechNet blog (via Engadget), Microsoft said it will no longer allow ad injection software that uses “man-in-the-middle” techniques, such as injection by proxy, changing DNS settings, and network layer manipulation. Microsoft will begin enforcing the rules on March 31, 2016.

Once the policy goes into effect, adware will only be allowed through browsers’ official extensibility methods. In other words, if you want to see adware in Chrome for some reason, you’ll have to go to the Chrome Web Store and install it yourself. You’d then be able to uninstall the adware just as easily through Chrome’s extensions menu.

Microsoft’s privacy policy is looking a little less frightening with a set of revisions that quietly landed last month.

As documented by Ed Bott at ZDNet, the updated policy appears to address fears over data collection in Windows 10, and on services such as OneDrive and Outlook. In many cases, Microsoft has added specifics and examples to show exactly where and why it accesses personal data.

For instance, one passage previously described how Microsoft will “access, disclose and preserve” personal data such as “the content of your emails, other private communications, or files in private folders” for law enforcement, customer protection, or maintenance purposes. The revised policy replaces the vague “private communications” with “in Outlook.com,” and adds the phrase “in private folders on OneDrive.” In other words, Microsoft isn’t spying on the contents of your local storage or helping itself to all manner of communication.

Security researchers have discovered a fiendish form of browser malware that stands in for your copy of Google Chrome and hopes you won’t notice the difference.

As reported by PCRisk, the “eFast Browser” works by installing and running itself in place of Chrome. It’s based on Google’s Chromium open-source software, so it maintains the look and feel of Chrome at first glance, but its behavior is much worse.

First, it makes itself the default and takes over several system file associations, including HTML, JPG, PDF, and GIF, according to MalwareBytes. It also hijacks URL associations such as HTTP, HTTPS, and MAILTO, and replaces any Chrome desktop website shortcuts with its own versions. Essentially, eFast Browser makes sure to open itself at any opportunity.

Crowdfunding site Patreon has become the latest victim of a data breach, though this one’s slightly more interesting than your garden variety hack.

Patreon acknowledged the breach on September 30, saying that hackers gained access to names, email addresses, posts, and some shipping addresses, along with some billing addresses that were added prior to 2014. The site also reported unauthorized access to encrypted passwords, social security numbers, and tax form information. Credit card data wasn’t compromised in the breach.

The theft of encrypted passwords and social security numbers isn’t unheard of in data breaches, and while it’s possible to crack the encryption with enough effort, Patreon at least used a powerful hashing function called bcrypt. This should make any cracking attempts much slower and more difficult due to the computational power required.

Lenovo isn’t doing its reputation any favors with the discovery of another security issue around its pre-loaded PC software.

The latest issue relates to a “feature” in Lenovo’s BIOS firmware that automatically downloads Lenovo software and services, even if the user has performed a clean install of Windows. Microsoft actually allows this practice, but Lenovo’s particular implementation—dubbed “Lenovo Service Engine”—led to a security vulnerability, which an independent security researcher discovered in the April to May timeframe.

In response, Microsoft has put out security guidelines for this BIOS technique, which it calls the “Windows Platform Binary Table.” Because Lenovo Service Engine doesn’t meet those guidelines, Lenovo has stripped the tool from its BIOS firmware in all PCs shipped after June. The company has also released a special disabler tool, and on July 31 released a BIOS update to remove the tool from existing PCs. Dozens of consumer laptop and desktop models are affected, but Lenovo says its Think-brand PCs are not.

The Electronic Frontier Foundation is trying to make “Do Not Track” more meaningful with some clear rules for the web to follow.

The new policy seeks to stop websites and advertisers from tracking users through cookies, fingerprints, and supercookies when users enable the Do Not Track setting in their browsers. Most notably, the policy makes clear that websites should not even collect this data for themselves, let alone use it to track users across the web. (Some exceptions apply, such as collecting data to comply with the law, or to complete an online purchase.)